Enabling and Centralizing S3, VPC, and Load Balancer Access Logs Across Multiple AWS Accounts

0

I manage multiple AWS accounts and need to enable access logging for S3 buckets, VPCs, and Load Balancers. How can I configure these logs for each account and centralize them in a single "Log" account?

1 Answer
1

The trivial answer would be to create a logging bucket allowing different accounts to write to it via Bucket Policies. Then you enable the logging for every service to point to that bucket.

A bucket policy may look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountLogging",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::ACCOUNT-ID-1:root", "arn:aws:iam::ACCOUNT-ID-2:root"]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-log-bucket/*"
    }
  ]
}
EXPERT
answered 5 days ago
AWS EXPERT iBehr
reviewed 5 days ago
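A worked example of the approach in the answer, added here and not part of the answer or of any AWS tooling: a small Python generator for the central log bucket's policy that gives each delivery path its own statement (VPC Flow Logs via the delivery.logs.amazonaws.com service principal, ALB access logs via the regional ELB account or the logdelivery.elasticloadbalancing.amazonaws.com service principal, S3 server access logs via logging.s3.amazonaws.com), each scoped by aws:SourceAccount or by a per-account AWSLogs/<account-id>/ object prefix rather than granting account root principals a bucket-wide PutObject. The account IDs, bucket names and the regional ELB account ID are constructed placeholders. One caveat built into the code: S3 only delivers server access logs to a bucket owned by the same account and in the same Region as the source bucket, so that statement is scoped to the log account's own buckets; cross-account S3 access logs need an additional hop that this example does not cover. The `unscoped_statements` check flags any Allow statement that has neither kind of scoping.

```python
import json

# All identifiers below are constructed placeholders, not real accounts or buckets.
LOG_ACCOUNT = "111111111111"
SOURCE_ACCOUNTS = ["222222222222", "333333333333"]
LOG_BUCKET = "central-log-bucket-placeholder"
REGION = "us-east-1"
ELB_ACCOUNT = "ELB-ACCOUNT-ID-PLACEHOLDER"   # regional ELB account for your Region (from the AWS docs)
S3_SOURCE_BUCKETS = ["app-bucket-placeholder"]  # buckets owned by the log account itself


def build_log_bucket_policy(log_bucket, log_account, source_accounts, region,
                            elb_account=None, s3_source_buckets=()):
    """Bucket policy for a central log bucket: one statement per delivery path,
    each limited to the accounts (or source bucket ARNs) allowed to deliver."""
    bucket_arn = f"arn:aws:s3:::{log_bucket}"
    accounts = sorted({log_account, *source_accounts})
    log_arns = [f"arn:aws:logs:{region}:{a}:*" for a in accounts]
    statements = [
        # VPC Flow Logs: delivery.logs.amazonaws.com first checks the bucket ACL,
        # then writes under <prefix>/AWSLogs/<account>/ with bucket-owner-full-control.
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": bucket_arn,
            "Condition": {"StringEquals": {"aws:SourceAccount": accounts},
                          "ArnLike": {"aws:SourceArn": log_arns}},
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [f"{bucket_arn}/vpc-flow-logs/AWSLogs/{a}/*" for a in accounts],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                           "aws:SourceAccount": accounts},
                          "ArnLike": {"aws:SourceArn": log_arns}},
        },
        # ALB access logs: scoped by the per-account object prefix. Regions launched
        # before August 2022 use the regional ELB account as the principal; newer
        # Regions use the logdelivery.elasticloadbalancing service principal.
        {
            "Sid": "ELBAccessLogsWrite",
            "Effect": "Allow",
            "Principal": ({"AWS": f"arn:aws:iam::{elb_account}:root"} if elb_account
                          else {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}),
            "Action": "s3:PutObject",
            "Resource": [f"{bucket_arn}/elb/AWSLogs/{a}/*" for a in accounts],
        },
    ]
    # S3 server access logs: delivered by logging.s3.amazonaws.com. S3 only delivers
    # these to a bucket in the same account and Region as the source bucket, so this
    # statement is scoped to the log account's own buckets.
    if s3_source_buckets:
        statements.append({
            "Sid": "S3ServerAccessLogsWrite",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/s3-access-logs/*",
            "Condition": {"StringEquals": {"aws:SourceAccount": log_account},
                          "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in s3_source_buckets]}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_statements(policy):
    """Sids of Allow statements limited neither by an aws:SourceAccount condition
    nor by a per-account AWSLogs/<account-id>/ object prefix."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        by_condition = any("aws:SourceAccount" in keys for keys in cond.values())
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        by_prefix = all("/AWSLogs/" in r and not r.endswith("/AWSLogs/*") for r in res)
        if not (by_condition or by_prefix):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_log_bucket_policy(LOG_BUCKET, LOG_ACCOUNT, SOURCE_ACCOUNTS, REGION,
                                     ELB_ACCOUNT, S3_SOURCE_BUCKETS)
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_statements(policy))
```

Running the script prints the generated policy ready to attach to the log bucket and an empty list of unscoped statements; feeding `unscoped_statements` a policy in the shape of the one in the answer (root principals, bucket-wide `/*` resource, no Condition) returns that statement's Sid, which is the signal to tighten it before allowing other accounts to write.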